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ABSTRACT 



A loyalty file structure for a smart card includes any number 
of loyally files prcinstalled by a card manufacturer* Each 
loyalty file has a password, a file number, a label, an 
indicator of whether or not the file is currently being rented 
by a merchant a length indicator, a data format indicator, 
and a data region. An issuer creates a Unique password for 
each loyalty file on a card and then issues cards to customers. 
For customer enrollment at a point-of-sale, a merchant 
determines if a loyalty file is available. The- merchant 
password is seat to the issuer on-line in real time and is 
returned along with authorization from the issuer to replace 
tfcc password of the loyalty file with the merchant password. 
The file label is changed to a merchant identifier and the file 
is indicated a? tseing rented. The merchant sends payment or 
a credit transaction to the issuer for use of the loyalty file. 
For use with a loyalty program, a merchant terminal finds 
the loyalty file of a customer's card for thai merchant and 
reads or updates information witbin that file. The loyalty flic 
on a card is also used with electronic ticketing to store 
information pertaining to a purchased ticket. Upon later 
presentation of the card at an airline boarding gate, stored 
information ic the loyalty file is compared with the "same 
information downloaded from toe airline host computer. A 
match indicates a valid purchase and a boarding pass is 
issued. 

12 Claims, 9 Drawing Sheets 
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LOYALTY FILE STRUCTURE FOR SMABT California, it is unlikely thai any of tbe businesses he or she 

CARD patronizes would have set up a loyalty program with the 

large eastern bank because that bask is out of the area.. It is 
more likely that the California business win have negotiated 
FIELD OF THE INVENFHON 5 with local banks to produce a custom loyalty file structure oq 

The present invention relate s generally to smart car*, * smart card thM those bunM > can malx use toinpte- 
More ically, the present ipv.ntion relates 10 in*kmcn- a byalty program. Of course, it is possible that each 

tation of a value-added file structure on smart ear*. «odw could mainly a collecuon of smart cards from 

* * different banks that would allow that customer to enroll m 

BACKGROUND OF THE INVENTION 10 the loyalty programs of any number of businesses. 

, , » Realistically, though, customers will baDc at the idea of 

Many busmesses currently make use o£so-calJ B d "loy- c^^^^J^^cu^^b^^o^io^^ 
airy" programs thai reward customers for frequent purchase ^ ^ * } t 

of the busincss's products or services. Well known loyalty _ J . , T . . . 4 „ . _ T+ , 

primiddofefe^ ^refc^atec^ 

h>£ program* at hotels, programs* reward frequent * praters to toroU customers having smart cards Wany 
^rchaLatt^m issueriptUtloyaUyoperator^ 
useof a credit card-sized plastic c J ^ arT embossed ncedforaprc^ 

customer number to help liep track of a customer's pur- "wild **** J* ^rable for an . ^ to ^ aWc to 
chases- (Others even use smaller cards that may attach io a M «w »ftom legally programs mplementcd on sman cards 
key chain.) Others use a ougoeuc stripe card which can 20 15SUcd thc ,ssuer - ^ "^issuer *»? havin & w 

magnetically store informaiion such as customer name and P 8 *"*?, a^emeots or from having to dewge .custom 
ideriuWtionn^ Wif file strucmrcs^uch a tocAuique further aflow 

cte. Still other loyalty praams have been implemented a loyalty opeo tor to flejcibly define their own loyalty pro- 
usitigasmartcardmc^^^ „ to uuplemem loyalty W kcauon *ftwaic to its 

operator'splacc of business- Although some types of loyalty own liking. 

programs have been successfully implemented to date, there SUMMARY OF THE INVENTION 

are a number of disadvantages with the way these programs 

are currerjily implemented- To achieve the foregoing, and in accordance with the 

For example, previous loyalty programs require fixed or w pwposc of thc present invention, a loyalty file structure for 
precstablished relationships between a loyalty opexaior and sman car _ ds is disclosed thai obviates the need^ for 
an issuing bank. These previous programs have no fiexibiliiy predetermined, prearranged agreements between card isl- 
and make it difficult for the loyally operator to define and crs loyalty operators. 

roll out new- or improved loyalty applications. For one Th& present invention allows flexibility in implementing 
example, consider a large market chain thai wishes to 35 loyalty programs by a loyalty operator and eliminates the 
develop a loyalty program for its food stores in conjunction need to have custom prearranged file structure definitions 
wiih a regional bank. The market must first negotiate an between a loyalty operator and each card issuer- A loyalty 
agreement with the bank to provide a particular loyalty file operator no longer needs to negotiate an agreement with 
structure on a smart card (or magnetic snipe card), along each and every single issuer in order to have the issuer* s card 
with a set of available commands that the loyalty operator's ^ accepted in the loyalty program of the operator, i.e., a smart 
terminal can execute io ihc course of unplemcnutig the card need not be custom made for each loyalty program, 
loyalty application , The market must specify a particular file Xa C present invention provides mime reus advantages and 
structure with which its own loyalty application software an features. By providing any number of loyalty files on a smart 
work. The market must then write its loyalty application card, a loyalty operator is able to enroll a customer in their 
.software to work in conjunction with the file structure and 45 loyalty program regardless of the bank from which the card 
commands it has specified to be present on the card to be was issued. Loyalty operators can define their own loyalty 
issued by the regional bank. All of this negotiation and application software and determine their own level of sccu- 
specificaiion takes a . great deal of time and money In fact, riry needed, without having to predefine a security level 
once an issuing bank specifics a particular file structure and before the cai'd is issued. A loyalty operator is allowed 
interface for a loyalty application for use with a smart card, ^ access to a loyalty file on a smart card in real rime, thus 
it can take up to nine months for tbe integrated circuits to be permitting a customer to be enrolled and data to be trans- 
mainifacrored, embedded in smart cards, and finally returned ferred to or from the card while tbe customer is waiting- A 
to the bank for issuance to customers. loyalty operator cap also choose their own password for 

Funher compounding ihc problem is thai the large market access to a file and can decide their own level of security 
chain would like to have any and all of its customers take 55 needed for a particular file. Furthermore, no key exchange is 
part in its new loyalty program and sot necessarily just those required between the parties. 

customers who have smart cards issued from the regional The present invention also provides numerous advantages 
bank. It would not be feasible for the market to negotiate tarn the issuer's point of view. By allowing access 10 a 
with each and every bank issuing a smart card that may loyalty file on a smart card jo real time over an on-line 
appear one day in one of its markets. The market would like go connection, the issuer can make loyalty files available for 
to be able 10 accept any smart card used by one of its rent easily and quickly, thus generating revenue from all of 
customeis and have that customer enrolled in the market's cards issued, regardless of the geographic location of the 
loyalty program regardless of which bank thc customer uses. cardholder or the loyalty operator- Furthermore, the issuing 
Consider a customer who uses a smart card issued by a bank is relieved from having to either specify a custom 
large eastern bank because tbat is the bank that also provides 65 loyalty file structure implementation on a smart card and/or 
the customer with frequent flyer mileage for his or her airline having to negotiate agreements wiib each and every loyalty 
of choice. Even though the customer lives and shops in operator. 
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In one embodiment of the present invention, any number at a customer point-of-convenience and then later receives 

of loyalty files with standard header information and vari- those goods and/i>r services by showing appropriate autbo- 

ables arc implemented in a memory of a smart card before rization. 

the smart card is issued to a customer- The structure of a „ T , 0 ^„ <TV _ I ^ f ^_ 
loyalty file and the basic commands used to interface with 5 DET^L£D ^CWFnON OF THE 
the loyalty file are known beforehand by the smart card ttCVENTlON 
issuers, by acquiring banks, and by loyalty operators ibar are j n 0tte p 3n j cu j ar embodiment of the present invention, a 
developing loyalty application software. When a customer gj e stpsclllrt implemented on a smart card in such a way 
uses a smart card in conjunction with a merchant, the as to ^p^c implementauoa of a loyalty program by a 
merchant terminal determines whether a loyalty file is 10 aiercbaut.In a bioader sense, the improved file structure of 
available for use. If so, the terminal is able to go on-line in llie present invention is applicable not only to loyalty 
real time to communicate with the issuer to receive a programs, but to virtually any situation m whkh a merchant 
password to allow access to the selected loyalty file and or olber em j ly desires to rent, lease, control, or otherwise 
other identifying information. In this fashion, the issuer can m ^ ai ^ of a ^ 0D a sma rt card access to which is initially 
keep control over the use of particular loyalty files on smart 15 controlled by ihu issuer of the smart card. As used herein, 
cards and keep track of which loyalty operators bave "loyalty" refers not only to those traditional loyalty pro- 
enrolled which customers in loyalty programs. The loyalty gTAn ^ ma t have been implemented, but also to any situation 
file on the smart card is made available for use by the loyalty ^ ^hick a merchant or other entity desires 10 make use of 
application software of the loyalty operator and mexebange, me file structure of the present invention. In this sense, the 
the loyalty operator makes a payment to the issuer. From this 20 pieseilt invention provides a value-added file structure. One 
point on, the loyalty operator makes use of its own loyalty ^ncb ^pediment for ticker purchase confirmation is prc- 
applieation software to read from and/or write to the loyalty scnicd below, and other embodiments arc also described. To 
file on the smart card any data it desires. illustrate one possible use of the invention, use of a rented 
In another embodiment, a loyalty file on a card is used file in a loyalty program of a merchant will be described 
. with electronic ticketing to Store information pertaining to a & below in detail, 
purchased ticket over the Internet. Upon later presentation of 

the card at an airline boarding gate, stored inform* lion in the Sm&n Cards 

loyalty file is compared with ibe same ^formation down- e ia VCnliDI1 * applicable to smart cards. Also 

loaded from the airline b^ JLXS!^^ 

vabd purchase and a boarding pass is 3 ssued. *> processor cards, a smart card is typically a credit card-sized 

BRIEF DESCRIPTION OF THE DRAWINGS P lastic ^ liat includes one or more : semiconductor inie- 

grated circuits. The smart card may be programmed wiih 

Tie invention, together wiih further advantages thereof, various types of functionality , such as a stored -value 

may best be understood by reference to the following 25 application, a ere dir. or debit ' application, a loyalty 

description taken in conjunction with the accompanying application, cardholder information, etc. Although a plastic 

drawings in which: card £3 currently the medium of choice for smart cards, it is 

FIG. 1 illustrates a card issuance scenario according to contemplated thai a smart card may also be implemented tn 

one embodiment of the present invention. a.smaller form factor, for example, it may attach to a key 

HG^Aillustratessymb 49 ^^bt^^U^^m^Aw^u^j^o 

within a loyally program implcmentadon system when a b< ; itemed as part of * *pU 

J.; A / L^Z Jrl ILLk™, f ft ,rh^ flVttt™^ K^fn^ telephone, or lake a different form. The below description 

toe omer ^ pwscn t invention is applicable to a wide 

FIG. 2B Ulusirates an example of a terminal. ^ mge 6f ly £ 5 of smart cards. 

FIG- 3 illustrates an example of a loyalty file suitable for a smart card may include a microprocessor, random 

use with one particular embodiment of ibe present invention. uCCC5S mem0 ry (RAM), read-only memory {ROM), non- 

F1G. 4 Ulusirates one particular example of the type of volatile memory, an encryption module (or arithmetic unit), 

data that may be stored wilhin a loyalty file. an d e card reader (or terminal) interface. Other features may 

FIG. 5 is a flow chart illustrating one embodiment of the 50 he present such as optical storage, flash EEPROM, FRAM, 

invention in which a smart card is manufactured, loaded a clock, a random number generator, interrupt control, 

with software, personalized and issued to a customer. control logic, a charge pump, power connections, and inier- 

F1G. 6 is a flow chart illustrating one technique by which <*>ntacts that allow the card to communicate with the 

a customer is enrolled in a teyaltv program. <msi * : 0f coutsc ' flsmaft ***** may be implemented 

FIG, 7 is a flow chan iUustratmg an example of bow a * lKm ^ y *** * 

customer enrolled in a mercy's loyalty program may pro^T or other features. 

make use of that program. microprocessor is any suitable central processing unit 

FIG SAulustmtesaqueryfromaterminalloaloyaliyfile for commands and controlling the device. RAM 

? - * .rTi * *J Zi serves as teniponuy storage for calculated results and as 

as to whether that particular file lS available for use by the ^ ^ mcmory ^ fitorc * lbe ope^ syslcm> fixcd dau, 

merchant, standard routines, look up tables and other permanent infor- 

F1G- 8B iUustrates the transfer of a loyally operator ma tion. Non-volatile memory (such as EPROM or 

password from a terminal to a card. EEPROM) strves to store informaiion that must not be lost 

FIG. 8C illustrates an encrypted password being passed when the caul is disconnected from a power source, but that 

back to a loyalty file in a card via a terminal. s $ ro u£i also be alterable to accommodate data specific to 

FIG- 0 illustrates an alternative embodiment in which a individual cards ot changes possible over the card lifetime, 

customer purchases goods and/or services from a merchant This information includes a card identification number, a 
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persona! identification number, authorization levels casb entities with which ii performs transactions. The below 

balances, credit limits, and other hlnrmation that may need description often uses the teem "merchant" for case of 

to change over time. An encryption module is an optional explanation. 

hardware module used for performing a variety of encryp- Cardholder file 120 is any suitable database Hie such as 

uoq alcorimms. Of course, encryption may also be per- s are known in the art ibr containing records of information 

formed io software. Applied Cryptograpliy, Bruce $cbneier, pertaining to each cardholder to which issuer 102 has issued 

John Wiley* Sons, Inc., 1996 discusses suita blc encryption car( fe. For example, cardholder record 122 illustrates a 

algorithms and is hereby incorporated by reference. portion of a record for a particular cardholder found in file 

The card reader interface includes the software and hard- 120. Shown associated with the cardholder's primary 

ware necessary for communication with the outside world. 10 account number (PAN) are passwords that corrc- 

A wide variety of interfaces are possible. By way of spond io the passwords stored in conjunction with, loyalty 

example, the interface may provide a contact interface, a files 106-112 on smart card 104. 

close-coupled interface, a remote -coupled interface, or a Passwords may be generated by the issuer for particular 

variety Of other interfaces. Witb a contact interface, signals loyalty files on a smart card in a wide variety or manners. In 

from the integrated circuit are routed to a number of metal 35 0dC tin bodifflepl of the invention, a password is derived for 

contacts on the outside of the card which come in physical a particular loyalty file using the cardholders PAN and a 

contact with similar contacts of a card reader device. Asmart unique number corresponding to the loyalty file. In this 

card may include a traditional magnetic stripe to provide manner, a unique password is generated for each loyaUy file, 

compatibility with traditional card reader devices and Because a password for a given file can be derived from* the 

applications, and may also provide a copy of the magnetic 30 PaN, the issuer need poi necessarily store the passwords in 

stripe informaiion within the integrated circuit itself for a cardholder record. Of course, an issuer may store pass- 

compatibility- words if desired, or may generate ihem when' needed. 

Various mechanical and electrical characteristics of a Advantageously, having passwords associated with loyally 

smart card and aspects of its interaction with a card reader files that are generated by, and only known to, the issuer 

device are described in Smart Card Handbook, W. Rank! and 15 allows an issuei to retain control over the use of a particular 

W. Effing, John Wiley A Sons, Lid., 1997, and are defined loyalty file. Such control allows an issuer to rent, lease, or 

by the following specifications, all of which are herein otherwise derive revenue from a loyalty file when used as 

incorporated by reference; Visa Integrated Circuit Card pan of a loyally operators loyalty program. For 

Specification, EMV Integrated Circuit Card Specification convenience, throughout this disclosure such rental, leasing 

for Payment Systems, EMV Integrated Circuit Card Termi- 30 or other use of a loyalty file will be referred to genetically 

nal Specification for Payment Systems, EMV Integrated as "renting" the file. 

Circuit Card Application Specification for Payment pjQ. ZA illusirates symbolically the Bow of information 

Systems, Visa International Service Association 1996; and within a loyalty program implementation system 200 when 

International Standard; Identification Cards--*Integrated a smart card 104 is presented to a merchant for tbc first time 

Circuits) Cards with Contacts, Parts 1-6, International and the cardholder is not yet enrolled in the merchant's 

Standards Organization 1987-1995, loyalty program. Information is transmitted from smart card 

104 through a loyalty operator terminal 202 via a commu- 

Overview nications network 204 to issuer 102. 

The recem advent of smart cards has made it possible for 40 Terminal 202 may be any suitable tenmnal such as are 

larger amounts of data to be stored on a card and for the card known in the art for reading from, and writing to, a magnetic 

to perform more sophfeticated processing. It is realized that 5*rip e «^d, a hman card, or the like. By way of example, 

smart cards provide many advantages to merchants, custom- terminal 202 is a terminal manufactured by Vcrifone, 

ers and issuers: faster and more secure transactions, value Hypercom, NCR, or other manufacturer that produces a 

added services present on the card, the ability to implement 45 similar terminal. An example of a terminal 202 is provided 

a variety of applications, etc. Embodiments of the present in FIG. 2B. For ease of explanation, the below description 

invention can make use of these and other advantages v«ill discuss u,ve of the invention with a merchant terminal, 

provided by smart cards through the use of an improved Communications network 204 may be any suitable com- 

loyalty file structure, mumcations network that allows communication between a 

FIG. 1 illustrates a card issuance scenario according to 50 merchant terminal and issuer 102. For example, cgmmuni- 
one embodiment of the present invention. In this cation media such as telephone lines, cable, fiber optic, 
embodiment, an issuer 102 issues a smart card 104 to a microwave, SiUcllite, etc., may be used. Existing networks 
customer that contains a loyalty file structure according to an such as ATM networks, the Internet or propriety networks 
embodiment of the invention. Issuer 102 to ay be any suitable may be used. In one embodiment of the invention, network 
issuing entity such as a bank, financial instinition, a service ss 204 is implemented using VisaNct, an existing global clear- 
association, a merchant or other organization, or even an ing and settlement system provided by Visa International 
agent acting for an issuer: Smart card 104 includes any Service Association (Visa International) of Foster City, 
number of loyalty files 106-112, each associated with its Calif. 

own password. Although each password may be the same for When smatt card 104 is used in merchant terminal 202 it 
each loyalty file on a given smart card, preferably each 60 may be mat the cardholder is not enrolled in the merchant's 
password is distinct for every loyalty file of a smart card. loyalty program. If the customer would like to enroll in the 
When a customer uses smart card 104 in conjunction witb a loyally program, a request from the merchant is transmitted 
loyalty operator's business, a particular loyalty file will be from terminal 202 to issuer 102 which then prepares appro- 
used to implement an embodiment of the invention. As used priate information and commands to allow the merchant to 
herein, a loyalty operator may be any merchant, company, & begin renting a particular loyalty file 106 on card 104. This 
business, individual or. similar type emiiy, that desires to ^formation ;mdj»rnniaods are_thcti sent back from issuer 
implement a loyalty program for its customers or other 102 !tO merchant terminal 202 and cvcomally to card 104. At 
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ihispoiw, the curfholderposscssfae card 104 is able to take personal digital assistant (PDA) such as those mads by 

advantage of tee merchant's loyalty program wing loyalty Apple Computet, loc. VS. Robotics or 3Com, 

file 1W on card 104 that has just been .assigned. Ia one p„ mfl i, 

embodiment of the invention, io conjunction witb this inter- Loyalty ftle fcxampie 

change (or sometime soon Ihcreafier, or even beforehand), j pj G 3ilhisfrales m example of a loyalty file 300 suitable 

the merchant makes apaymeni Jo issuer 102 Bx the right .to fof ^ ^ Q|ie articulsl . e mbo<3iirt«nt of the present 

rent and make we of a partcntar loyalty fita on ortlM. kvwnfap. Lo ya j ly me300 is one example of how a file may 

Preferably, the loyalty file is for the exclusive us* of the ^texnM appreciate that such a file 

merchant's loyalty program. In this fashion, a merchant is fce ^ m B Mmber ^ dificrtm v„y S . For 

able to make use of a loyalty Cle on a customer's card in real l0 ^_ ^eular loyalty file may be partitioned in any 

time, and the issuer is ab e to recede payment for mafang «™?P * ^ pJograra operator and may have any 

such a loyalty fiU available. FurtSennofe these loyalty files .JJiX ^Vules associated witb it. 

a ^^^ ma y^P^ D, ?^™ y,y ^? v r ^^T^ Fuitoermore, each loyalty file may store variables directly 

byanybatdccffinarrtnalinsr,^ ^ } ^ these variables in a separate 

the merchant or the .saier to jointly specify a toy ally file lS a* variables arc am associated with the 

structure or to negotiate an agreement beforehand. In otbet - rj: 

^stav* Sif ^ ^ " OT ° tber ^ Associated witb W file 300 is 302 that is - 

TG.ffiillusir,t« an example of a tennmal 202 suitable £ PP * d 5J^^ 

far » «M an embodiment of ib. present invention. In M wort JW may be diner* ^.^ n _^.^-* » 

gLral, the present invert is applicable for us* with a * embody it m ^^ji^^^J^^ 

may bV airy suitable interface device that functions to „ variable 312 and a data region 314. ^ 

• hansfcr ^formation and command between a smart card . File number 304 is any suitable number or identifier that 

and a user and/or a computing device. A terminal may also helps to distinguish one loyalty file from another gn agivco 

igierface to a magnetic stripe card. A terminal may be a smart card. By way of example, file number 304 may be one 

non-intellkeni device that simply provides power to a card of a sequential scries of cumbers for loyalty files on a smart 
and facihtatcs ihe tranter of information, or may be as 30 card. For example, if there arc ten loyally files on a ^smart 

complex as a merchant urmieai mat includes a processor, card, these files could be numbered 1-10. Label 306 is an 

application software, and the ability to comrounieate over a identifier ibat helps to identify the merchant who has rented 

network. ' a particular loyalty file. For example, should the market 

Terminal 202 includes a card reader interface 250, a ^ Safeway rent a loyalty file on a smart card label 306 
processor 252, a memory 254, a security module 756, a 35 woKW be replnced by the wc-rd ''Safeway^ a unique idcn- 

com^catiou interface 258 and an optional user interface tifier for mat merchant, a secret code tha Us ^pnly. 

260. Card reader interface 250 accepts an inserted smart card . merchant, or any crier suitable identifier for that mer- 

and provides electrical connectioa from the terminal to the chant. B t t 

card contacts- For those contaciiess cards, interface 250 The Boolean flag Rented? 308 indicates whether or not 
provides cpmmnmcation between the card and terminal 40 ^particular loyalty file 300 has been rented by a merchant 

using other techniques. Processor 252 may be a simple and is befog exclusively used by the loyalty program of that 

rnicroprocessor or a single-chip computer. Processor 252 merchant. Alternatively, multiple merchants and/or loyalty 

controls card reader interface 250, administers user interface operators may arrange so that more than one merchant may 

260 establishes a connection to a higher level system, and have access to a file, and a suitable variable would indicate 
in general controls operation of terminal 202. Memory 254 45 this situation. One merchant or loyalty operator may also 

may be any suitable type of memory such as RAM, ROM rent more than one file. Length 310 indicates the total length 

and EEPROM, and preferably stores loyalty application m bytes. won)s,biis, or other suitable unit of loyalty file 300. 

software that implements the merchant's loyally program. In other embodiments, length WO indicates the length of the 

Optional security module 256 contains keys used in encryp- header information preceding data in the file, indicates the 
tion algorithms and is typically mechanically and electri- 50 length of daia only, or indicates the length of another 

catty separate from the rest of terminal 202, Module 256 suitable portkm of the file. 

may be a single-chip computer in a protective housing or Transparent/fixed variable 312 indicates whether the file 

even a smart card- Commnnication interface 2SS may js organized in a transparent or fixed formal. ^As is known Id 

include an electrical or optical connection to a local the art, files on smart cards arc generally implemented in 

computer, or telephone connection via a modem (or cellular) either a transparent or a fixed format. Under a transparent 

to a remote server computer. Interface 258 may also be fomiat, software that is reading from, or writing to, a file 

implemented using other technologies such as microwave, needs to know the name of the file, a displacement within the 

radio, infrared, etc. User interface 260 includes a keyboard file, and length of data to be able to accurately find or write 

and display screen. Terminal 202 may also include a real- information- Under a fixed formal, files are organized using 
lime clock. 60 records; thus software reading from, or writing to, a fixed file 

A terminal may take any of a variety of physical forms needs to know ihe file name and the record within the file 

such as a stand alone unit, integrated with a computer, from which data will be read or to which data will be written- 

auached to the keyboard of a computer, a PCMCIA card, or It should be appreciated that other file formats may also be 

even buih in 10 a floppy disk-sized unit capable of being read used and variable 312 may indicate any of a variety of 
from a disk drive of a computer, etc, furthermore, a terminal 65 formats. Although a number of specific variables have been 
may also be embodied in any portable device such as a . illustrated in conjunction with loyalty file 300, it should be 

laptop computer, a cellular tclcphooc, or any variety of a appreciated loaf any number of other variables may also be 
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used id coajunction with file 300 to assist in implementing Tn step 504 the chip operating system and any optional 

the invention, or that fewer variables may be needed or applications desired arc installed onto the chip on the card, 

modifications of these variables may be introduced. Preferably, an encryption algorithm is also installed onto the 

' „« - , _ , ■ - chiti for use in decrypting information that the card receives 

flG.4i1hi^^ aKc^tirg^orrialionthai^ 

data that may be stored vath* a loyalty file. DaU section 314 i Variety of encryption standard/ and tech- 

of file 300 may include a wide variety of informal niques 6 may ^ U5cd as those described in Applied 

pertaining to the cardholder, any number of merchants, c^ography referenced above), preferably the encryption 

purchasing history, etc. By way of mcample, data secuon 314 algorithm defined by the Data Encryption Standard (PES) is 
includes: a loyalty number 402 indicating lo a merchant's 

loyalry program toe Testification of a particular customer; ™ Slqj ^ insla]fe a varicry of commands that arc pan of 

name of customer 404; age of customer 406; and gender of ^ c ^ operating system to support one embodiment of the 

customer 408. Of course, not all of this information need be loyalty file structure of the present invention. Although step 

present and ii is entirely possible that a great deal of other $96 appears as a distinct step for clarity of explanation, 

customer and marketing-type information may be included preferably these commands are installed along with the chip 

within file 300. Also included within 'file 300 is a variety of 15 operating system and form a subset of functionality within 

information pertaining to a customer's babiis with a par- thai operating system. These commands are implemented by 

ticnlar merchant. For example, file 300 may abo include: the operating system to perform various reading and writing 

number of visits 410; a list 412 of what a customer purchases functions with respect to loyalty files stored on the card- 

(Le., shopping habdis); the number of points 414 a customer Available as operating system level commands, they may be 

has accumulated (such as frequent flyer miles, number of »- called by loyalty operator application software located in a 

nights stayed at a hotel, etc); an award counter 41«* indi- terminal or other card reader device, by software running op 

eating a potential award that the customer has accumulated; * personal computer, by software implemented by an issuer 

preferences 420 indicating customer preferences with regard or other entity managing the loyalty file structure, or by any 

to a particular product or service of the merchant; and a of » vadejy of other software running on computers or 

crctff value 422^^^ * omer saaartxard interface deuces For e*amplc^fiware 

W ~V, . . , b running within a merchant terminal would use these com- 

particutar mercnanL ^ ^ of iDlcraCtillg ^ a customer's card in 

For those merchants which sell tickets or other passes to mc terminal for purposes of iroplementing a loyalty pro- 

a customer for an event, service, navel, etc, ticket infor- &zm. 

matioo 424 stores any information pertaining to that ticket. These loyalty file structure commands may be implc- 
For example, for purchase of an airline ticket, information 4 mCD tcd in any suitable language used by the chip on the 
such as flight number, seal assignment, confirmation smart card and can perform a wide variety of functions. It 
number, frequent flyer number, etc, may all be stored within ^ ^ ap p fcc int c d that thes* commands illustrate in general 
file 300. It is also possible for a cash value 426 to be stored fa functionality used to implement the present invention, 
within file 300 for use by a customer whcD purchasing goods ao d that their specific names arc arbitrary and may change, 
or services, Cash value 426 is incremented when a customer Furthermore, other commands implementing similar rune- 
loads cash value onto the card, and is decremented when the lionajity may also be used to implement the present inven- 
customer uses cash value 426 to purchase goods or services tion _ ln onc embodiment of the invention, these commands 
from a merchant Medical and other personal information include the Jgllowing functions: Search .Files, Install 
42S and 430 may also be stored on the card, ^ password, Change Password* Change .Label, Change 

Preferably, an organization wishing to help establish Rented?, Read Data, and Write Data, 

loyalty programs using features of the present invention will The Search Files command is used to find loyalty files on 

define a particular file structure beforehand, A spec^catfon a smart card that have not yet been rented by another 

of the defined file structure should then be made available to merchant's loyalty program. This command does not nec- 

issuing banks, acquiring banks and to merchants implement- ^ essarily need any input parameters and returns as an output 

mg a loyalty program. In one embodiment, the organization * ]jst of one or more loyalty files found on the card that are 

defining the file structure is a payment association such as available for use by a merchant. In a preferred embodiment 

Visa International. oE the invention, this command reads the Boolean flag 



Card Issuance and Use 



Rented? 30$ of each file to determine If a loyalty file is 
already in use or not, 

FIG. 5 is a flow chart illustrating one embodiment of the The Install Password command allows an issuer to install 

invention in which a smart card is manufactured, loaded the initial password for each loyalty file on a card. Typically, 

with software, personalized and issued to a customer- The this is a personalization command used only by the issuct 

steps described below need not necessarily be performed in when the card is in a personalisation machine before issu- 

thc order described and could be performed entirely or in ance to a customer. This command accepts as input pararrj- ' 

pan by a manufacturer, a card issuer, or another party. eters an initial password for the loyalty file and the loyalty 

In step 502 a card manufacturer embeds a chip into a file number on the card. The output of this command 

smart card Those of skill in the art will appreciate that this indicates whether or not installation of the password was 

Step can be performed by any suitable card manufacturer successful. As is common with personalization commands, 

using any of a variety of integrated circuits and in many ea once Install Password has been used by the iwuer to set the 

different ways. By way of example, the chip embedded into initial password for a file, it can no longer be used by another 

the smart card b any suitable integrated circuit and is entity. This safeguard prevents an unauthorized parry from 

preferably a processor chip that contains a microprocessor. gaining access w a loyalty file by resetting the password, 

Examples of chips that may be used are those manufactured Should a merchant or any fururc terminal attempt to use this 

by Hitachi, Siemens, Motorola,, Thompson, etc. 65 command, the smart card will reject the command. 

Furthermore, any of a variety of card manufacturers may be The Change Password command is used with authorica- 

USCd such as Gcmplus, Schlumbcrgcr, Bull, G&D, etc. tion by the issuer in real time to change the password for a 
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particular loyalty file on a smart card while the card is 
present in a merchant terminal. This command allows the 
initial password installed by the issuer to be replaced by a 
password known 10 the loyalty operator so thai the loyally 
operator may begin to use the loyalty file on the card. This 
command takes as input parameters a new password and a 
loyalty file number. The command outputs an indication of 
whether or not the changing of the password was successful. 
Preferably* this command is given using a secure messaging 
technique to ensure that it may only be used with authori- 
zation from the issuer, in one embodiment, an encryption 
key shared only between the issuer and the card (to be added 
during personalization) is used to ensure that this command 
is authorized by the issuer. 

The Change Label command allows label 306* on a loyalty 
file to be changed to reflect an idemification of the merchant 
that is now using the loyalty rUe. This command accepts as 
input a new label and a loyalty file number. An output 
indicates whether or not the command was successful. The 
command may also be used to erase a merchant identifier or 
lO return the label 10 an initial State. Tnc Change Rented7 
command allows Rented? flag 30ft to be changed to indicate 
thai cither a file is now in use, or is available for use. The 
command accepts as input a loyally file number and outputs 
an indication of success. 
' * * In one embodiment, once the loyalty operator has been 
authorised to replace the password for a particular loyalty 
file with one Of its own using secure messaging, the Ope rator 
may then give the Change Label and Change Rented? 
commands. In an alternative embodiment, each of the 
Change Password, Change Label and Change Rented? com- 
mands may only be executed by a merchant terminal with 
the proper authorization from an issuer using secure mes- 
saging- These various levels of security allow an issuer to 
maintain control over which loyalty files on a card arc being 
rented to wham, and allows an issuer to ensure mat fees for 
renting a loyalty file are being properly paid. An issuer may 
also take other steps for control as needed. 

The Read Data command is used to read any information 
contained in data portion 314 of a loyalty file for use by a 
merchant ra implementation of their loyalty program. The 
read data command accepts as input a file number and either 
a displacement -and lengthy or a record number depending 
updn whether the format of the file is transparent or fixed. 
This command returns as output the data found" at that 
location. Tbe Write Data command is used to change data 
within data portion 314. As with the Read Data command, 
tbe Write Data command accepts as input a location within 
data portion 314 to be changed, and also accepts a new data 
value to be written to that location. An output indicates 
■. whether or not tbe update was successful. In a preferred 
embodiment of the invention, the Read Data and Write Data 
commands may only be executed by an authorized entity. 
For example, only an issuer or a merchant knowing the 
password associated with a particular loyalry file may read 
data or write data contained within data portion 314 of that 
loyalty file. Such an arrangement allows information con- 
tained within a file to be kept private, and ensures that only 
those merchants who have paid a fee (or who have made 
some other arrangement or have obtained permission) to the 
issuer may make use of a loyalry file On a card. 

Step 50$ constructs or otherwise reserves space for any 
number of loyalty files in a memory of the chip on the card. 
In a preferred embodiment of the invention, a loyalty file is 
organized as shown in FIG. 3, although a wide variety of 
other formats may also be used. Preferably, loyalty files are 
implemented in memory that may be both written to and 
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read from, and is static in nature. More preferably, the 
loyalty files are implemented in an EEPROM on the chip. At 
this point, the smart card is ready for delivery to the issuer 
for personalization and later issuance to a customer. Of 
s course, it is conceivable thai the chip manufacturer or other 
entity may also perform, the following steps. 

In step 510 the card is personalized. A personalization step 
for a card will be femiliar to those of skill in the art and may 
be performed in a variety of manners. By way of example, 
10 card personali2Aiion includes embossing the card with the 
customer name, an account number and expiration date. This 
and other informalioD may also be added to a magnetic stripe 
on the card if present, and to memory within the chip on the 
card. Other personalization steps include setting necessary 
parameters for any pre-deiermined applications, such as 
15 credit, debit, or stored value. 

Preferably, the issuer also adds an encryption key to a 
secure location within the chip thai will be shared between 
the chip on the card and the issuer. This encryprjoo key can 
then be used for later secure messaging between tbe smart 
zo card and the issuer. For example, use of tbe eccryprion key 
by the smart card allows the card to receive encrypted 
information from the issuer, and to decrypt it with the 
assurance that the information and/or commands contained 
wittdn have been authorized by the issuer. By the same 
26 token, encrypted information received by the issuer from the 
smart card can be decrypted by the issuer using the shared 
encryption key with- the assurance that the decrypted irjfor- 
mahon has been transmitted by a valid smart card that cad 
previously been issued by the issuer. Any number of types 
30 of eiicxyption keys may be used. In a preferred embodiment 
of the invention, an encryption key using the Data Encryp- 
tion Standard (OES) is used. 

In step 512, i he issuer creates a password for each loyalry 
flic on the card and installs these passwords on the card in 
association with their respecdve loyalty files. The issuer may 
35 create passwords for each loyalty file using a variety of 
techniques. In a preferred embodiment of the invention, a 
DES key is used with the customer's primary account 
nurnber (PAN) in order to derive a suitable password for a 
loyally file. Id a more preferred embodiment, a password for 
id a particular loyalty file is derived from both tbe PAN and the 
loyalty file number to produce a unique password for that 
loyalty file on the card. In this fashion, an issuer will later be 
able io derive a particular password for a loyalty file 
knowing only the customer's PAN and the loyalty file 
45 number and will not need to store or otherwise archive 
passwords for loyalty files. Once these passwords have been 
created, each password is installed on the smart card in 
association with the loyalty file to which it corresponds. In 
a preferred embodiment of the invention, ihe Install Pass- 
so word command discussed above is used to perform, this 
function. Preferably, no read from or v/rite to a file is 
allowed unless its password is presented. Once this step has 
been completed, the card is ready to be issued to a particular 
customer for use in commerce. 
55 Advantagcimsly, the above steps that make loyalty file 
commands available in a chip operating system and help 
implement a loyalty file structure on a chip may be per- 
formed by any entity in the smart card manufacturing and 
issuance process. Benefits to the customer include having a 
60 smart card that is now ready to take part in any loyalty 
program of a merchant that wishes to make use of the loyalty 
files present do the card. One benefit to tbe merchant is that 
an customers holding such a smart card with a loyalty file 
structure wDl be able to take part in that merchant's loyalty 
65 program regs rdless of the issuing bank and without the need 
for the merchant to negotiate a prior agreement with an 
issuer. 
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Preferably, the formal used for the loyally file structure one crnbodimeni of the invention, the loyalty application 

and the commands installed arc communicated to issuing uses tbe Search Files command to Jock for a loyally file 300 

banks, acquiring banks, and merchants who wish to make whose Rented? flag 308 is false. If no available file is found 

use of the loyalty file structure to implement their loyalty (indicating that all of the loyally files on card 104 are 

program. In one embodiment, this specification is handled 5 currently in use by other merchants) then card 104 is 

by Visa International, rcnirnca to the customer. If one or more available loyalty 

A merchant may then write loyalty application software files arc found op the card, then enrollment of the customer 
using any software and of any. design that the merchant may begin. TUc merchant may decide to use only odd loyalty 
desires. Preferably, this loyalty application will be resident file 300 for use with his loyalty program or decide to rent 
within read-only memory within a merchant terminal. As* l0 more than or* file it available. Tbe merchant may decide k> 
will be appreciated by those of skffl in.the art, any suitable P£l«« more than one file with the same password or wrtb 
application running within a merchant terminal or on a card different passwords.- . 
reader may be used to interact with a smart card and to, U * conceivable at this pomt that once an available file 
communicate on-line and/or in real time with a card issuer, °« found thai the merchant's loyalty application 
By way of sample, current communication protocols for 1S «ft«; ,™jr be ^ J^l" 
use between a credit card terminal and an issuing bank may cbant itonfier, set Ren cd? flag MS to true, change pass- 
use oerween a crcoii ra ^™ ma V^^^^» uTZLT^Z word 302 to a password known only to the merchant, and to 
be used in a similar fasten in an embodxmem of the present ^ £ ^ reading data from dau ponion 314 
iirvcnu OT mallow*^ oflbecard^n a preferred embodiment, however, the mer- 
an issuer. As described below , tfie loyalty apphcacon soft- cbaQl fe nol Mlowed ta ^gjp usirjg a loyalty 6 le 
ware makes use o£ a variety of the commands that have been ao ^e^ty ^ muS1 rcoe i vc authorization through an 
instated in the chip operating system ip implement the issuer so that the issuer is aware of who is renting which 
merchant's loyalty program. particular loyalty file on the customer's card and may 

FIG. 6 is a flow chart illustrating one technique by which receive the revenue for mat rental due the issuer, 

a customer is enrolled in a loyally program. In this scenario, The following steps illustrate one technique by which a 

the customer is in possession of a smart card having a loyalty & merchant indicates to an issuer a particular loyalty flic that 

file structure as described above but is not yet enrolled in a the merchant wishes to rent, and by which the issuer returns 

loyalty program for a particular merchant. In step 602 the authorization and the ability for the merchant to begin using 

card is inserted into the terminal. Alternatively, if a contact- the loyalty. Of course, other similar steps and techniques 

less smart card is used, the card may be presented to, or may also be used to perform the same general function, 

otherwise passed by, a terminal. The card may be inserted 30 Advantageously, the following steps require no prearranged 

into or presented to the terminal for any of a variety of agreement between the merchant and the issuer and no 

reasons. For a typical payment transaction, the customer prearranged key management. Also, the Mowing steps are 

inserts the card into the temunal so that funds or points may prel«rably performed in real-time while a customer is wau- 

be deducted from the card or so thai a credit payment *W ™ h ^ 01 b " ««> » * c twnnnal. Tl* abihiy for a 

transaction may take place. Alternatively, the customer is 35 ^f** 01 * *™ U a ?? 5l0mcr m t * P£grarn ui 

making the payment via cash, debit card, check, etc, and the sfeo P"™dc payment to, an issuer ^ for such a 

7? v. - ^ f _ . ~~ . . 1 r„ c service at the same time is one advantage of the present 

card is being inserted into the terminal for the purposes of - ^ . 

. . ... invention, 

enrollments the loyally r Program. § ^ 2 02 sends the loyalty operator 

In step 604 it is determined whether to solicit the customer passw6n f te raf d 104. The loyalty operator password is any 

to enroll in the loyalty program. This step may be performed *o password thai the merchant uses for identification 

in a variety of ways and may even be optional. For example, ^ fa exclusive access to a Joyalty file 300- The password 

die clerk or loyalty application software within memory 254 may ^ c a password usc^ by the merchant, or it may be 

of terminal 202 may automatically ask the customer whether generated or derived in real time as the enrollment is being 

he or she desires to take part in the merchant's loyalty processed. In step 612 the loyalty operator password is 

program. This solicitation may occur even before it is 45 combined with iibc file password for the available loyalty file 

determined whether any available loyalty files exist, whether to produce a combined result, this result is then returned to 

the customer is already enrolled, or before any other infbr- the terminal. Combination of the two passwords and the 

matiou is delcnnmed. Preferably though, the clerk and/or the communication of the result back to the issuer and the 

loyalty application performs a few checks to determine eventual receipt of a new password for the loyalty file may 

whether it is suitable to solicit the customer's enrollment. 50 be performed in a variety of manners. By way of example. 

For example, the bank identification number on the card can such steps may be performed as described below with 

be checked to make sure that the customer is local and will reference FIGS. SA, 8B and SC. The particular technique ot 

be frequenting the merchant's business often. It may not be algorithm used 10 combine the loyalty operator password 

desirable for a merchant to solicit the enrollment of a with the loyalty file password is preferably known to ibe 

European customer who is only present and buying goods 55 issuer. Thus, because the issuer knows this technique and is 

within California for a short period of tune. Also, if a also able to derive (or has stored) the particular loyalty file 

customer's card is due to expire soon, the merchant may not password, the issuer wfll be able to recover the loyalty 

wish to spend tbe time and money in renting a loyalty file on operator password. In an alternative embodiment, ibe loyalty 

the card. Other parameters and information may also be operator password is either encrypted by the customer's PIN 

checked before this solicitation occurs. If it is determined «o entered into the terminal or the derived DES key shared 

not to solicit the Customer, tbe customer is not enrolled and between the card and the issuer. In another altera alive 

the transaction may be completed. embodiment, the merchant need not send the loyalty opera- 

If it is determined that the customer should be solicited, tor password to the issuer, but still receives authorization 

in step 606 the terminal searches tbe card for an available from the issuer and the ability to replace the file password 
loyalty file 300 for tbe merchant's loyalty program to use. Of ti5 with the loyalty operator password. The issuer may even 

course, this siep could also take place before solicitation in transmit the tile password to the merchant for use (ue., leave 

step 604 to make sure that a loyalty file 300 is available. In it unchanged). 
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In step 614 the terminal forwards the combined result Now that the password of the loyalty file has been 

along with the customer primary account number, the loy- changed to thai o) the loyalty operator/merchant, the rner- 

alty file number to be rented and any other relevant infor- chant will now have access for reading and writing oC that 

mation back to the issuer in real-time over communications loyalty file. In on* embodiment the merchant has exclusive 

neiwoik 204. This communication from the terminal to the 5 access; in other embodiments more lhan one merchant may 

issuer may also occur in conjunction with a payment share a loyalty file, or another entiry such as an issuer may 

authorization, for example, should ihc cardholder be making also have access- Label 306 of the file indicates via the 

a credit payment using an application of the card. The merchant identifier that the merchant is using this file and 

terminal may also be communicating with the issuer or other also Rented? flag 308 indicates to other loyalty applications 

entity for the purposes of incrementing or decrementing 10 that this file is currently in use. 

funds on the card or for other purposes related to the in step 624 the merchant, using any suitable method, 

transaction. In this fashion, the communication back to the makes a payment to the issuer for use of the loyalty file. This 

issuer of the combined result can piggyback onto a irons- payment may take place in any suitable manner such as by . 

action thai would be occurring anyway. . credit card, check, debit from an account, wire transfer, etc. 

In step 6W the issuer recovers the loyalty operator 1$ In a preferred erabodimenl of the invention, the terminal 

password from the combined result. Upon receiving Jrom sends a credit transaction to the issuer from the merchant ro 

the terminal the combined result, the customer primary pay for the use of the loyalty file. This credit transaction is 

account number and the loyally file number to be rented, and similar 10 a credit sent at the end of the day from a merchant 

by virtue of Knowing the technique by which the two through an acquirer 10 an issuer for goods that have been 

passwords were combined on the card, the issuer can recover ^ returned by a customer Unlike a payment transaction in 

the loyalty file password. In this fashion, the loyalty operator which funds from the issuer are transferred to the acquiring 

password has been transmitted in a secure manner back to bank of the merchant, a credit transaction results in a 

the issuer. Of course, other secure techniques may be used. payment being made from the merchant's acquiring bank to 

For example, ibe byalty operator password and/or the the issuer. In this fashion, payment fh)m the merchant to the 

loyalty file password may each be encrypted using. tbe a issuer is made quickly and efficiently. Preferably, this credit 
' encryption key mat is shared between ihe card and the issuer. ' transaction occurs during the same on-line transaction when 

In an alternative embodiment, the issuer may send an the issuer is authorizing use of a loyalty file by the merchant, 

encrypted password to tbc merchant terminal tbat the ter- Thus, a new on-line transaction is avoided and Ibe issuer 

miual is able to decrypt and use as the new merchant receives payment immediately upon allowing access to the 

password instead of Ibe merchant sending its password to ^ loyalty file by the merchant. The step of sending a credit 

the issuer. transaction to the issuer may be performed at any time 

In step 618, ibe issuer creates a secure script using secure during the on-line transaction, may be performed at some 

messaging to replace the loyally file password on the cus- later time in batch mode, beforehand, or may be performed 

tomcx card with the loyalty operator password, 10 change the using a difiereni manner of payment. For example, the issuer 

file label of the loyalty file to a merchant identifier, and to set 35 may decide not to release the script or file password (which 

the Rented? flag to true. In this fashion, the issuer retains allows access to the loyalty file by the merchant) until the 

control over which password is associated with a loyalty file, merchant has iii some way indicated a guaranteed payment 

which is the file label, and whether or not a file is rented. In to the issuer for use of a loyalty file- Alternatively, the 

a preferred embodiment of the invention, the information merchant may batch a number of card rentals and submit 

and commands within ibe script arc encrypted using the < D 1110X11 on a res 1 '!^ basis to aggregate payment, 

shared encryption key between the card and the issuer. FIG. 7 is a flow chart illustrating an example of bow a 

Preferably, the issuer also returns the original password to customer having a card which is enrolled in a merchant's 

prove to the card that the script is genuine. In another byalty program may make use of thai program. Although 

embodiment, secure messaging is used to allow the terminal FIG. 7 is presetted as a separate flow chart, it is likely ihat 

to change the password of the loyalty file; once changed, the 4$ a customer may make use of a loyalty program immediately 

terminal may then change the file label and the Rented? flag upon enrolling in that program (i.e., during thai same first 

on its own. trans action). Of course, once a customer has enrolled in a 

In step 620 the issuer sends this encrypted information merchant's Io> airy program, any subsequent interaction may 

back to the loyalty application software within the terminal. occur as shown in FIG. 7. In step 702 a customer presents 

In step 622 the terminal uses ihc script to replace tbe so his or ber smart card to a terminal for either the purchase of 

password of the available loyalty file with the loyalty goods or services, to take part in the loyalty program, or for 

operator password received from the issuer, to change label other similar reasons as described in step 602. 

306 of the file to the merchant identifier received from tbc In step 704 the terminal searches the card for a loyalty file 

issuer, and to set the Rented? flag 308 to true. Preferably,, the having a labvl 306 that conesponds to the merchant in 

Change Password, Change Label, and Change Rented? 55 question- In step 706 if such a flic is not found, then tbe 

commands are used. The loyalty application software within loyalty interaction terminates. Alternatively, if a loyalty file 

terminal 202 is prevented from changing this information on with the merchant identifier is not found, this indicates that 

its own without authorization of the issuer because of the the customer is cot currently enrolled in the loyalty program 

secure messaging technique used between the issuer and the of tbe merchant. Accordingly, steps £04 and/or 606 may be 

card. 60 performed to determine whether to solicit the enrollment of 

In a preferred embodimem of the invention, each of these the customer. For example, steps 706 and 606 may be 

three parameters associated with the loyalty file must be performed together before making ibe determination shown 

changed successfully before the loyally file can be rented by vn step 604. Many oihcr variations regarding solicitation of 

tbe merchant. If any one of tbe password, label and/or a customer a>id whether or not to enroll a customer are also 

Rented? flag ate not changed successfully, then preferably 65 possible. 

the enrollment terminates and the merchant is not allowed to U will be appreciated at this step in the process that once 

rent a loyalty file. a loyalty file has been identified on ibe card that is being 
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rented by a particular merchant, ibe loyalty application has stored the value in conjunction with the card's primary 

software within the merchant terminal is completely free to account number; or because the issuer derives loyalty file 

perform whatever reading, writing, updating, or other pro- password 302 from the primary account number and the 

cessing of the data within thai loyalty fie for the purposes loyalty file number 304. 

of implementing the merchant's loyally program or for other 5 ^IC. 8C fllusi rates mat once the loyalty operator pass- 
purposes related to a transaction with a customer, By way of WQfd ^ bas tecovBIC d ^ ^ issuer, me encrypted 
czatnpb, if a. loyalty file correspoDdinfi to the merchant IS V9EB9wd ^0 is passeo back to 104 and to loyalty file 
found, then .m step 70S the terminal war* the cwiomcr ^ J Prcfeffl bly. the password is encrypted 

V QUm ^^ ffil^l usbg the encryption key shared ber-cn *suer 102 and card 

who is onioned in the merchant's loyalty program, J0 ^p^^ ^ ^ ^ dccrVpted by mc card and 

As described above, in one embodiment of the invention, slQfcd ^ new file password 302 lor loyalty file, 300. 
the loyalty application software is not able to directly change 

password 302, label 306 or Rented? flag 308 as these are p^hasc Confirmation Embodiment 
under control of the issuer. Similarly, in a preferred 

embodiment, loyalty operator password 302 is required lS illustrates an alternative embodiment 900 in which 

when the loyalty application wishes to either read or write a customer, purchases goods and/or services from a merchant 

data in data portion 314 of the loyalty file. This requirement at a customer pomt-of-omrvenience and then later receives 

ensures that only toe appropriate merchant who is renting a those goods or services by showing appropriate authoriza- 

particuUr loyalty file can either rear! from that file or can tion. In this example, a customer 901 is purchasing an airpne 

write to that filei Such a security measure protects the 20 ticket on-line. C iustomer 901 interacts with a computer 902 

privacy interests of both the customer and flic merchant, and having an associated card reader 904 to communicate with 

ensures that the issuer receives revenue for loyalty files that an airline host computer MO over a telecommunications 

axe rented. The merchant may also decide the level of network 912 such as the Internet. Although customer 901 is 

security needed for each situation, depending upon the card, shown in this example interacting with a personal computer 

business, customer, etc. Data written to a loyalty Tile by a ^ in either home or office, this interaction can also take place 

merchant may be encrypted or not, a the merchant's desire. at a kiosk, in a merchant's stoic, at a self-service terminal, 

Further password protection, challenge-response, etc., may or other environment in which a customer and his or her 

be implemented by the merchant if desired for access to the smart card cprnmunicatc with a merchant, 

rented loyalty fije. Advantageously, the level of security may Using known techniques for purchase requests over a 

be determined or changed by the merchant at any time after 30 telecommtrnica tans network, customer 901 submits a pur- 

enrollxnenl of the customer, and need not be determined chase request 91S 10 host computer 910 including informa- 

before the card is issued. tion such as a purchase request, a primary account number 

In this specific example, in step 710 the terminal uses the of the customer's smart card,, the customer frequent flyer 

Read Data command to read the current cumber of customer Dumber, etc. At this point* host computer 910 may require 

v&is and other information from data portion 314. Process- 35 payment from customer 901 using any of a variety of known 

ing of this information may then occur within the loyalty techniques such as use of a debit -card, a credit card 

application, and in step 712 the terminal updates the number transaction, ck-bit from stored value of a smart card, etc. 

of Visits, shopping habits and other relevant information in Indeed, the smart card that customer 901 has inserted ill card 

the loyally file. An example of die types of information that reader 904 may perform any or all of these functions and 

may be read or updated has been described above with c0 may also include a loyalty ffl^ 

reference to PIG. 4. Of course, other information, transac- Assuming the purchase request is accepted, host computer 

lions and/or financial arrangements may also be recorded in 910 determines an appropriate loyalty file for use on card 

the loyalty file. A wide variety of other updates may also 104 (for example, as explained in FIGS. 6 and 7) and sends 

occur in place of steps 708-712. a response 920 to the customer's card. Response 920 con- 

F1GS . 8A-SC illustrate one specific technique by which a 45 lains any of a wide variety of information for later use by the 

merchant determines ah available file and receives the airline in com inning that customer 901 has in fact paid for 

abihiy to write to and read from that file. In this specific the specified airline ticket. For example, response 920 

example, FIGS, BA-&C illustrate one technique by which includes the flight number, a seal assignment, a confirmation 

steps 606-622 may be implemented. Of course, other tech- number, a frequent flyer number, etc. Tbis infonnation is 
tuques by which an issuer provides access to a file by a 50 stored in loyalty file 986 that the airline is currently renting 

merchant are also possible. FIGS. SA-8C illustrate a portion from the issuer and will be used later to confirm thai the 

of loyalty file 300 showing Rented? flag 308, loyalty file customer has in fact paid for the ticket. The enrollment of the 

number 304, and password 302. FIG. fiAilfustraies a query customer may lake place during this transaction, or may 

from terminal 202 to file 300 as to whether thai particular file have taken place earlier. 

is available for use by the merchant. Because flag 308 has a 55 As an optional level of security, host computer 910 may 

value of false, the card returns yes $12 to terminal 202. also send a challenge 928 to card 104. Card 104 responds to 

FIG, 8B illustrates the transfer of loyalty operator pass- the challenge by encrypting the challenge using the shared 

word 814 from terminal 202 10 card 104. Card 104 theq encryption k*;y (shared between the card and the issuer) and 

combines loyalty operator password 814 with loyalty file returning me encrypted challenge as response 929. Once 
password 302 to produce combined result 816* In this SO response 929 is received at host computer 910, the airline 

example, the two passwords are combined using an XOR may send this challenge-response pair back to the issuer for 

lo&ic function to produce the combined result- This com- confirmation ihal a valid smart card issued by the issuer bas 

bined result 816 is then passed from terminal 202 to issuer in fact responded to host computer 910. Further comparison 

102. The issuer is then able to recover loyalty operator of the PAN, and or other customer information with the 
password 814 by using the same XOR function on combined 65 challenge-nwponse pair and/or the shared encryption key 

re*uli $1$ with loyalty file -password 30Z LoyaUy file can further confirm thai host computer 910 has engaged in 

password 302 i* known to IflC issuer either bCCaUSe IhC iSSUCr a transaction vrilb a valid card nod/or a valid customer. 



PAGE 4W60 * RCVD AT 5/18/2004 3:44:24 PM [Eastern Daylight Time] * SVR:USP70-EFXRF-1/4 * DNIS:8729306 * CSID:3058102460 * DURATION (mm-ss):2(M4 



05-18-04 .15:55 Frora-Hunton aid IVi 1 1 iaras 3058102460 T-279 P.041/060 



US 6,549,912 Bl 
19 * 20 

Once the transaction has been completed between ens- point in lime to a terminal which then reads the previously 

lomcr 901 aod host computer 910, the host computer trans- placed infbnnatipn and provides a benefit to the customer. 

mils to a terminal 930 located at the airline boarding gate the For example, payment for rapid transit using a smart card 

same information ii had previously transmitted to the loyalty with a rented loyally file would cause the rapid transit 

file of the customer's card. This information 932 stored 5 terminal to place a coupon into the loyalty file. The customer 

within terminal 930 in conjunction wjih the customer pri- ?e smart having the coupon stored 

m^ account number (PAN) 934 is used ta confirm when ^^^-^^^^T 

7 . .\ . ' « ity t . . u„ ^ i ,3. s ■ while nding trans-it, a free bus transfer, free admission to an 

r-vl ? enie«a m £fnt srW, etc. The second terminal that reads the 

fuctennded to receive a boards pass. electronic coupon directs a terminal operator or computer to 

When the customer arrives at the boarding gnu*, tbe ip -fo^^p^^^ 

customer smart card * inserted into tennmal 930. Tbe men be msed fiom lhc loyalty file, its value decremented, 

terminal searches for the loyally file on the card corresjiond. clc merchant may control each of the terminals that 

ing to the airline, and reads luformation witmn that file phcc coupon g ^ prpv *fe benefits, or any number of 

regarding the airline ticket that the customer has purchased. merCfian ts may *gree to share a particular loyalty file and its 

Thc FAN from the card is also tea* as well. Next, toe PAN « paSSWOfd fc ^ pJemeflmion of Otis embodiment Tlie loy- 

Irom the card and ibc informatiOD from tbe loyalty file arc a]ty ffle fflay abo ^ us6d ^ ^ a day pass or a monthly 
cwnpared with ibc correspondicg information stored within gQOd for ^ ^ ^ rapid Eacb ^ ^ 

■ the lerrninal for that parucular PAN- Aiming that there is wd ^ prc5tnled , thc tarminal reads tbe loyaltv fi^, 
a match this mdicaies that the cardho^r presenting card flcknow]edgcs the prcfience of lbe p93S , and permits the 
926 a tmeboardinggatc hasinftotalreadypaidfortheucdxt » ^^^^ t ^ eQtcr _ ^ time stamp (or other code) in associa- 
indicated and a boarding pass may be given to the customer. t£on ^ the pass lets the terminal know for how long the 

For. an added level of security, the previously calculated p ate is valid. Once the pass is used up, ii may be deleted 

challenge-response pair thai is in possession of host com- from the loyally file by the terminal* 
puter 910 is also stored within terminal 930. | n 3„ otber embodiment, a reined loyalty file serves as an 

■ Advantageously, terminal 930 need not include complicated electronic version of a customer** identification card for a . 

■ and time-consuming encryption algorithm software, lermi- business or otljcr entity. For example, a library may rent a 
oal 930 simply sends challenge 928 to card 926, As before, loyalty file on a smart card to store the customer's library 
card 926 uses its shared encryption key to encrypt challenge ^ number, the books borrowed, their due dates, any fines 
92$ id produce response 929. This response is men trans- „ outstanding, and other pertinent library information- When 
mined to the terminal. Terminal 930 then merely needs to lbc wnirog l6 return books, the library's rented 
compare the response from card 926 to the response it Has loyally file is ruad by a terminal to assist with book return, 
stored in its own memory. If there is a match, this indicates Upon ou ^ me ipyalry file may be read to ensure that 
that the card currently in the terminal was in fact the card previous books have been returned and that no fines are due. 
that had previously been used to purchase a ticket and the mis embodiment, any type of business or individual 
same in which ticket information had been previously may ^ a loyalty file for customer identification, 
stored. Id an alternative embotf rnem, a secure application lD aQOtocr embodinienu a eroup of m ercbanls may agree * 
module may be. added to the termmal to allow encryption ^ ^ ft part ^ ^ filc for m incemivc ^ 
and decryption within the terminal itsclt Upoo ^^ion of the smart card by a customer to the first 

Alternative Embodiments 40 mercham > a Particular loyalty file is renied for this purpose. 

Alternative EmboOtments ^ paijtss ^ r makcs a ^^tts^ a "total sales" counter 

It should be appreciated that this embodiment illustrated is incremented iu the rented file . This counter is incremented 
in FIG. 9 applies not only to tbe purchase of airline tickets, ' for each purchase the customer makes from one of the 
^ but also to the purchase of a great variety of goods and participating merchants. By prior arrangement, tbe mer- 
scrvicts from a merchant. In general, FIG. 9 ilhisirdtes a 45 chants have agreed upon a loyally file name, password, and 
situation in which a cusiomer using his or her smart card and protocol for incrementing the. counter. Ai thc end of 
a card reader is able to purchase goods and/or services from program, the customer is rewarded with a special gift if tbe 
a merchant and to receive confirmatory information to be counter has reached a certain amount, 
stored within a loyalty filc of the customer's smart card. At In another oonwdimcm, a loyalty file on a smart card is 
a later dale, or in a different location, thc customer then so used for access control- For example, smart cards issued to 
merely presents the smart card having the confirmatory employees of a company may store employee information in 
information stored within the loyalty file and tLdsiafonna- a loyalty file mat permits access to certain areas of the 
lion is compared to information received from a merchant company. The loyalty file structure used need not be ixnple- 
compntcr 10 determine in fact mat the customer presenting mented on specially issued smart cards, but may be pan of 
ibe card is due tbe appropriate goods and/or services. The 55 an employee's everyday credit or dcbU card, or corporate- 
goods and/or services may then be released 10 the customer. issued card diat inclndes an integrated circuit suitable for 
Furthermore, this embodiment, need not be limited to implementing the present invention, 
purchases, but may also be used whenever important or Although lbe foregoing invention has been described in 
sensitive information needs to be transmitted to a customer, some detail for purposes of clarity of understanding, it will 
stored within a loyalty file within that customer's smart card, ^ be apparent that certain changes and modifications may be 
and then be read and confirmed at later date or in a different practiced wiihin the scope of the appended claims. For 
place using a card reader device. The loyalty file may also instance, a loyalty file may be implemented on a magnetic 
be used as a travel voucher, cusiomer profile, etc. stripe card as well as on an integrated circuit card. AJ50, any 
In one embodiment a purchase by a customer at a mcr- entity other than an issuer may exercise control over use of 
chant triggers the terminal 10 place a "coupon", "time 6S loyalty files, and may provide access 10 the files by a 
stamp" or— confirmation of purchase" into a rented loyiilry merchant usiog many -techniques. In addition, enrollment 
file. The customer may then present the smart card at a later and/or data update of a loyalty file need not take place at a 
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merchant site, bin could occur over the Internet or other 
network, at an ATM, at a kiosk, tictet counter, etc, A loy alty 
file and its com cd 13 may take many forms, ihe file described 
herein is merely one example* Also, card issuance can be 
performed by many differed parties, by a single party, by a 5 
merchant or partially over the Internet- Other applications 
include: vehicle identification, licenses, passes, electronic 
payment, luggage identification, etc. It 5bduld.be apparent 
thai the present invention has an almost limitless range of 
applications and that it would bo difficult to describe all of 10 
them in a single documeni; however, the reader will appre- 
ciate the broad scope of the invention. Therefore, the 
described embodiments should be taken as illustrative and 
opt restrictive, and the invention should not be limited to the 
details given herein but should be defined by the following is 
claims and their full scope of equivalents. 
I claim: 

1. A system tbat facilitates implementation of a loyalty 
program by a merchant, said system comprising: 

a smart card including a data file and an associated file 20 
password necessary to access said data file, said data 
file oot accessible by said merchant without authoriza- 
tion from an issuer, said smart card being issued to a 
customer by said issuer, 

a card reader device that reads from and writes to said 25 
smart card and is associated with said merchant; 

a communications network connecting to said card reader 
device; and 

an issuer computer under control of said issuer connected 20 
to said communications network, said issuer computer 
being arranged to accept a request from said merchant 
for access m said data file, and being further arranged 
to transmit an authorization to said card Teader device 
to allow said merchant to access said data file of said 3S 
smart card with the permission of said customer, said 
authorization operating in allow the replacement of said 
file password with a merchant password known to said 
merchant, whereby said merchant may use said data file 
for implementation of said loyally program for the 40 
benefit of said customer. 

2. A system as recited in claim 1 wherein said request 
from said merchant is sent in real time to said issuer 
computer and wherein said issuer computer transmits said 
authorization m real time back to said card reader device 45 
while said customer associated with said smart card is 
waiting. 

3. A system as recited in claim 1 wherein said merchant 
transmits 10 said issuer a credit transaction using an existing 
settlement system in exchange for said authorization from 50 
said issuer- 

4. A system as recited in claim 1 wherein said card reader 
device is a merchant terminal that includes loyalty applica- 
tion software for implementing said loyalty program, said 
merchant terminal being arranged to transmit said request to 55 
said issue/ and to receive said authorization from said issuer 
in real time. 

5. A system as recited in claim X wherein said data file of 
said smart card includes: 

a file password, knowledge of which is necessary to 60 

access said data file; and 
a rental indicator indicating whether or not said data file 

is being used by a mercbapt- 



6. A method of enrolling a customer of a merchant in a 
loyalty program, said method comprising: 

accepting at & card reader device associated with said 
merchant a smart card of said customer thai has been 
issued by an issuer, said smart card including a data file 
and an associated file password necessary to access said 
data file, said data file not being accessible by said card 
reader devise; 

transmitting 10 an issuer of said smart card via a commu- 
nications network a first message indicating the desire 
by said merchant to gain access to said data file of said 
smart card; and 
receiving from said issuer a second message including 
data thai allows said card reader device to gain access 
10 said data file of said smart card with the permission 
of said customer, said data of said second message 
operating to allow the replacement of said file password 
with a merchant password known to said merchant, 
whereby said merchant may use said data file' for 
implementation of said loyalty program for the benefit 
of said customer. 

7. A method as recited in daim 6 wherein said elements 
of transmitting and receiving occur in real time while said 
customer is waiting- 

ft. A method as recited in claim 6 further comprising: 
trarjsmiiting from said merchant to said issuer a credit 
transaction using an existing settlement system in 
exchange for access to said data file. 

9. A method as recited in claim 6 wherein said card reader 
device is a merchant terminal that includes loyalty applica- 
tion software J or implementing said loyalty program, said 
merchant terminal performing said elements of transmitting 
and receiving in real time while said customer is wailing. 

10. A method as recited in claim 6 wherein said data file 
of said smart card includes a file password and a rental 
indicator, said method further comprising; 

reading said rental indicator of said data file 10 determine 
that said data file is not accessible by said card reader 
device; and 

replacing said file password of said data file with a 
mercbam password received in said second message 
from said issuer, said merchant password being known 
to said merchant, whereby said merchant gains access 
to said data file. 

11. A method as recited in claim 6 wherein said smart card 
includes a plurality of data files that have been prcinstallcd, 
said method further comprising: 

searching through said data files to find said data file, said 
data file being available for use by said merchant; and 
replacing * file password associated with said data file 
with a password known to said merchant, whereby said 
merchant gains access to said data file. 

12. A method as refined in claim 6 further comprising: 
accessing said first data file using said merchant pass- 
word; and 

updating data within said data file of said smart cord with 
information relevant to a transaction between said 
customer and said merchant, whereby said merchant 
password allows said merchant to implement said loy- 
alty program using said first data file. 
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